GET STARTED ON DRIFTCTL
The examples here are based on AWS.
Please follow our documentation to authenticate on Microsoft Azure or Google Cloud Platform.
Welcome to this walkthrough that will get you started on driftctl in a couple of steps. In this blog post, we’ll show the simplest secure way to authenticate driftctl on AWS: a dedicated read-only IAM user and an optional separate IAM profile to access the S3 bucket that contains the Terraform states.
Driftctl needs the lowest read-only access rights possible and uses the standard AWS CLI environment variables like AWS_PROFILE.
So, for example, if you already have an AWS profile configured in ~/.aws/credentials to use with Terraform, you can use it directly with driftctl:
$ AWS_PROFILE="terraform" driftctl scan
[...]
You can also export the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables, and then use driftctl, which will automatically pick them up to authenticate on AWS. Remember to also export a default AWS region with AWS_REGION:
$ export AWS_ACCESS_KEY_ID=AKAEIOU1234567890
$ export AWS_SECRET_ACCESS_KEY=poiuytrewq0987654321
$ export AWS_REGION=us-east-1
$ driftctl scan
[...]
More information on basic AWS authentication can be found in the AWS CLI User Guide.
It can be as simple as that!
See below if you have to authenticate separately to access the Terraform states inside your S3 bucket.
Though using an already existing AWS profile is an easy way to get started, you probably want to choose a more secure option. To begin with, driftctl doesn’t need “write” access to anything! So if you use the same AWS profile as for Terraform, you’re granting it more access rights than it needs.
The quick’n’simple path: a Read-Only Policy
Here’s a simple read-only option to get you securely started in less than 2 minutes.
$ aws configure --profile driftctl-ro
AWS Access Key ID [None]: AKIASBXWQ3AEXANOKE
AWS Secret Access Key [None]: *********************
Default region name [us-east-2]: us-east-1
Default output format [None]:
You’re now ready to use driftctl with a dedicated and more secure, read-only, AWS profile:
$ cd path/to/terraform/directory
$ AWS_PROFILE="driftctl-ro" driftctl scan
It’s a common pattern among teams to use a different authentication for the Terraform state files. Sometimes it’s to share a single S3 bucket with different teams, sometimes it’s for fine-grained access control, sometimes it’s just for pure isolation in a different AWS account. You know you’re probably in this case if you have a specially crafted configuration for your S3 backend in Terraform.
Whatever reason you have to need a different user profile, you can use it with driftctl with the DCTL_S3_PROFILE (for the profile) and DCTL_S3_REGION (for the S3 bucket region) environment variables.
So, if your AWS profile to access the “mycompany-s3-terraform” S3 bucket is named “s3-terraform” and the different region is “us-west-2”, then the full setup for the environment would look like this:
$ export DCTL_S3_PROFILE="s3-terraform"
$ export DCTL_S3_REGION="us-west-2"
$ export AWS_PROFILE="driftctl-ro"
$ driftctl scan tfstate+s3://mycompany-s3-terraform/**/*.tfstate
[...]
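A preflight check for the environment set up above, as an added example that is not part of the original post or of driftctl itself. The function names and the TERRAFORM_PROFILE variable are hypothetical, and it assumes "terraform" is the write-capable profile from the first example; AWS_SHARED_CREDENTIALS_FILE and AWS_CONFIG_FILE are the standard AWS overrides for the credentials and config file locations.

```shell
# Assumption: "terraform" is the write-capable profile, as in the page's first example.
TERRAFORM_PROFILE="${TERRAFORM_PROFILE:-terraform}"

# profile_exists NAME: succeeds if NAME is defined in the shared credentials or config file.
profile_exists() {
    creds="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
    conf="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
    { [ -f "$creds" ] && grep -qxF "[$1]" "$creds"; } ||
        { [ -f "$conf" ] && grep -qxF "[profile $1]" "$conf"; }
}

# driftctl_preflight: reports findings on stderr; returns 1 if any finding is blocking.
driftctl_preflight() {
    rc=0
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
        # Exported keys can shadow the profile, so the scan may not run as the read-only user.
        if [ -n "${AWS_PROFILE:-}" ]; then
            echo "FAIL: AWS_ACCESS_KEY_ID and AWS_PROFILE are both set; keep only one" >&2
            rc=1
        fi
        [ -n "${AWS_REGION:-}" ] || echo "WARN: AWS_REGION is not exported" >&2
    fi
    if [ -n "${AWS_PROFILE:-}" ]; then
        if [ "$AWS_PROFILE" = "$TERRAFORM_PROFILE" ]; then
            echo "FAIL: AWS_PROFILE is the Terraform profile, which carries write access" >&2
            rc=1
        fi
        if ! profile_exists "$AWS_PROFILE"; then
            echo "FAIL: profile '$AWS_PROFILE' is not defined" >&2
            rc=1
        fi
    fi
    if [ -n "${DCTL_S3_PROFILE:-}" ]; then
        if ! profile_exists "$DCTL_S3_PROFILE"; then
            echo "FAIL: S3 profile '$DCTL_S3_PROFILE' is not defined" >&2
            rc=1
        fi
        [ -n "${DCTL_S3_REGION:-}" ] || echo "WARN: DCTL_S3_REGION is not set for the state bucket" >&2
    fi
    return "$rc"
}

# Usage: driftctl_preflight && driftctl scan
```

Source the file and chain the check in front of the scan so a misconfigured shell never reaches AWS with the wrong identity.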
If you’re interested in discovering more precise authentication options or access policies (like a least-privileged policy), CloudFormation templates, Terraform examples, and more, please consult the driftctl documentation!
Now that you are ready to use driftctl securely, your next step will be to configure your Terraform provider version before you can scan your account for resources not managed by Infrastructure as Code.